The traditional security perimeter is proving no longer an effective cyber security control and fast growing technologies like cloud, mobile and virtualization make the boundaries of an organization blurry. For many years, organizations have protected their valuable and sensitive information by building a fence around those assets. All the data following in and out of an organization was either via a single internet access point or on physical devices. That meant a traditional perimeter was an effective measure because the boundaries were known.
As long as the internet access was controlled by the data that flowed through it, it was possible to protect, monitor, and control that data. Organizations protected the internet access with firewalls, VPNs, access controls, IDS, IPS, SIEM’s, email gateways, and so forth, building multiple levels of security on the so-called perimeter. Then on physical devices, systems management and antivirus protected those systems and kept them updated with the latest security patches. This is a traditional security approach that has been used for almost 30 years, but in today’s world, it is no longer effective.
Technology has significantly changed the world. In the past 10 years, we have seen the physical boundaries of an organization almost completely disappear. This has been a result of mobility and connectivity with almost every person in an organization becoming an internet access point. With the ability to simply connect their mobile devices together and enable a personal hotspot the method of controlling the perimeter became much more difficult. At an average transfer speed of 50MB per second, a person could transfer almost 600GB of data out of an organization within a day via a connection that is not secure, nor monitored.
This leaves us with the question – what is the size of your data vaults that contain sensitive data?
This, in combination with cloud and virtualization, makes data today so much more transportable than ever before. With data moving at fast transfer rates and more cloud services allowing data to be processed and easily stored in the cloud, these changes and technological advancements forces the traditional perimeter to evolve.
If we look at all the cyber breach reports the past year – we can see it has been busy for cyber criminals with public reports stating more than 500 data breaches and more than 3 billion records exposed in 2016.
So why do we continue to see so many cyber breaches? If we look at why many of the cyber breaches in the past year have occurred it comes down to three major factors that can be categorized into human factor, identities and credentials, and vulnerabilities. With the digital social society, we are sharing more information, ultimately causing ourselves to be much more exposed to social engineering and targeted spear phishing attacks. The ultimate goal being to compromise our systems for financial fraud or to steal our identities to access the company we are entrusted with protecting. When our identities are stolen, it provides the attacker with the ease of bypassing the traditional security perimeter undetected. If the identity has access to privilege accounts they can easily carry out malicious activity that can sometimes go undetected for more than 200 days or until the malicious activity has already occurred.
In the vast majority of breaches approximately 80% percent of cyber incidents result from stolen identities, credentials and privileged accounts which continue to be the prime target for hackers because they unlock the access required to exploit virtually any part of an organization’s network. Hacking privileged credentials can mean the difference between a simple perimeter breach and one that could lead to a cyber catastrophe. Once attackers gain access, they can escalate their privileges and move through networks to identify and compromise confidential information or use ransomware to encrypt critical business data.
In today’s world organizations can no longer rely on the traditional security perimeter as the only cyber security measure. It is ultimately important that the new cyber security perimeter is with the Identity and Access of the employee. This is the next generation security perimeter that can be effective in a world where systems and data can be located anywhere and be accessed at any time as long as the identity and access can be validated and trusted. We have seen successful implementations where even countries like Estonia have taken an approach to enable citizens and the government to be able to interact seamlessly via digital identities. This has allowed Estonian citizens to vote, bank, and file taxes from any location in the world.
It also enables Estonia to introduce the world’s first E-Resident program. Organizations can take similar approaches by embracing Identity and Access Management as the way to protect their data and systems. This can be done by taking an approach at securing the digital identities, using multifactor authentication, securing privileged access and data, and continuously checking the reputation and behaviour of those identities. This ultimately moves the focus to the data and the system or person who needs access to it and not the so-called traditional security perimeter.
You can’t protect what you don’t know exists. So, before you launch into a privileged account lockdown project you need to start with mapping out how many accounts exist. Most of the time organizations significantly underestimate.
Administrator on Windows and root on Linux are just the beginning. Let’s think about a web application farm running some off the shelf software package. Let’s say there are three web servers and two database servers. One OS root/admin account per system is a given. Next, there’s the DB super user account such as “sa” on SQL Server. Then, if the application is running on Windows/IIS there are:
• Service accounts for the DB
• Service accounts for the application
• AppPool identities
• Accounts used by the application to access the database
And don’t forget the hardware level accounts used for logging on to the motherboard itself for remote maintenance and control. These should all be considered privileged accounts.
An effective policy and approach on Identity and Access management can help a company accelerate new technology adoptions and at the same time help avoid becoming the next victim of cybercrime.
Where can you start to get ahead? Here’s a list to get you in the right direction:
1. Educate key stakeholders on Identity Access Management
2. Discovery identities and privileged accounts
3. Automate the management and security of privileged accounts
4. Adopt and implement policies
5. Get better visibility of Identity and Privilege Account usage and compliance
To learn more about the requirements you need for a successful IAM and PAM cybersecurity strategy, please register for our upcoming webinar, “Extend IAM into Unstructured Data and Privileged Access Management” with STEALTHbits’ CTO Jonathan Sander.
Want additional tips? Check out my top 10 cyber security tips every company should consider in 2017.